What to know about the new civil cyber-fraud initiative — Resurface

David Goossen
8 min read · Oct 13, 2021

The Biden administration continues its efforts to improve U.S. cybersecurity with a recent announcement by Deputy Attorney General Lisa Monaco of a new civil cyber-fraud initiative. This announcement is more evidence that companies need to get their security house in order.

President Biden has made cybersecurity a top priority for the Biden-Harris administration. This began with his May 12, 2021 Executive Order on Improving the Nation’s Cybersecurity, which states that the “prevention, detection, assessment and remediation of cyber incidents is essential to national and economic security.” Stating that the Federal Government must lead by example, the Executive Order focused on how government agencies, as well as the vendors and contractors who sell to them, could improve their security posture. Federal agencies have since been working through the mandates of the Executive Order. This recent Department of Justice announcement is an attempt to put some teeth into those requirements: federal contractors that fail to meet required cybersecurity standards, including the obligation to disclose cybersecurity breaches, now face the threat of large fines.

Actions and penalties for cybersecurity fraud

The Department of Justice (DOJ) intends to use the federal False Claims Act, a law that allows the government to bring claims against people or organizations that defraud the United States government, to pursue what it calls cybersecurity-related fraud by government contractors and grant recipients. DOJ stated that this could include “knowingly providing deficient cybersecurity products or services, knowingly misrepresenting cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.”

How this could work in practice starts with the cybersecurity standards being developed by Federal agencies. The intent of Biden’s Executive Order was to have the Federal government lead by example by establishing baseline standards for cybersecurity, including for their vendors. To ensure that the standards are being met, the government will likely require any company providing goods and services to Federal agencies to certify that it has complied with the cybersecurity requirements — including a requirement to report cybersecurity breaches. The Department of Justice would then have the ability to bring claims against any person or entity that they find falsely certified that it was in compliance, or that did not report a cybersecurity breach.

In announcing the initiative, Deputy AG Monaco stated,

“For too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and report it. Well, that changes today.”

Changing the risk calculations for cybersecurity

Many companies have not prioritized cybersecurity because they have not seen a failure to meet cybersecurity standards as a significant financial risk. For government contractors, that risk calculation has now changed. Faced with these risks, we would expect government contractors to increase their efforts to make sure they are in compliance with the Federal requirements. But once government contractors are required to certify their own compliance, we would also expect them to require their suppliers to certify compliance with the same standards. That flow-down is how the Federal requirements begin to become the de facto standard for all companies.

Cybersecurity experts talk about layers of protection. These typically include perimeter security, network security, application security, and data security. The National Institute of Standards and Technology (NIST) developed a cybersecurity framework organized around five functions: Identify, Protect, Detect, Respond, and Recover. When the layers and functions are combined, as in the chart below by John Yan, it is easy to see that early security efforts and solutions tended to focus on the Protect function regardless of the security layer (e.g., firewalls, filtering, and VPNs). More recently, we have seen an increased focus on the Detect function with the use of SIEMs and various security monitoring solutions.

As Federal cybersecurity requirements become the standard, and efforts to protect are deemed insufficient due to the growing number of malicious actors, private enterprises will increasingly need to consider how to address the Detect, Respond, and Recover functions.

We endorse a layered approach to security. It is helpful to think of these layers existing within the five NIST functions as shown here. A complete security program needs to consider each layer and every function. It should start with the Identify function and move to the Protect function. However, any effort to protect can fail, given enough actors attacking whatever it is designed to protect. So the Detect function is becoming more critical than ever.

When it comes to detection, not all solutions are the same. The ability to respond and recover is directly related to the information collected in the Detect function. To that end, Resurface provides alerts on security threats, with one-click access to the full request and response payload of every API call for complete context. This runtime API data serves to harden applications against future attacks or to aid in recovery from a completed or ongoing attack.

The Federal cybersecurity standard continues to evolve, covering not just protection, but detection, response, and recovery. We believe forward-thinking companies should continue to evolve their security programs to cover this spectrum for a complete cybersecurity strategy.

Originally published at https://resurface.io on October 13, 2021.
